Monday, December 22, 2014

Backoff Point of Sell malware

On July 29, 2014, the US-CERT (Computer Emergency Readiness Team) issued an alert regarding a new Point of Sale malware it dubbed Backoff - the first public disclosure of this threat. The name was probably coined after a string found in the code of one of the versions of the variant that was analyzed by the US CERT.

The Backoff threat is currently targeting mostly US businesses, and has managed to compromise more than a thousand different business entities. Its main target as POS malware is to obtain the magnetic data gathered from credit/debit cards swiped in point of sale stations. The data is then sent to a Command & Control (C&C) server operated by the fraudster.

The product of a private financial fraud group, this threat is continuously being developed, and has been operating since October 2013 according to evidence collected in the wild. In this report I provide the full story of the Backoff operation, including: bot analysis, a behind- the-scenes look at the Backoff server-side and how it operates, background information on its operator, and statistics on the geographic distribution and reach of the malware based on my research.

Full research paper